How To Secure Against Computer Attacks
by Peter Benjamin
prepared for Web Spinners Meeting November 3rd, 2001

Abstract: An Overview of Home/Office Computer Protection

Today there exist new threats to everyone's future and well-being
in the form of denial of service (DoS) attacks against the computer
networks that form the underpinnings of the international economy.
This paper presents some of the issues involved and how you can
be directly responsible for reducing the potential for cyberterrorism.

How to prevent a cyberattack?

Risk assessment is the first step,
followed by cost analysis, from several angles, of the key components
being protected and of the security software
and policies that protect them. Design security from the top down.

Determine Economic Risks

Determine Technical Risks

Costs of Risks determine policy

Policy sets security funding levels

Funding levels selects the countermeasures

Countermeasures determine procedures

Enterprise security strategy and security architecture
must be endorsed by executives, and they in turn
ensure compliance with security procedures.
Staff are trained and tested
in procedures and software methods.

Economic Risks

Determine the cost of the data on the computer.

Business data is extremely valuable.

Refunding your clients' money...
It's not going to happen: you spent it already.

How do you make good network security work?

Simply putting a firewall up and
monitoring what comes through it is a very big oversight.
Don't rely on a single product to give you good security.
The return on security investment depends upon business
requirements and on spending neither too little nor too much.

No single silver bullet

No comprehensive computer solution

Staff involvement required

Policies and Procedures

Annual retraining

Layer protective measures

Firewall (hardware or software based)

AntiVirus Scanning

Incoming WAN Traffic

Outgoing WAN Traffic

Internal LAN Traffic

Local Computer - Email Readers

HTML based mail

Scripting (JavaScript, Visual Basic, Java, etc)

External Tracking URLs/Images

Attachments: virus/worm payloads

Monitoring (sniffers, etc)

Monitoring depends on risk assessment from business requirements

Squishware (Staff monitoring):

Cameras

Spot checks

Computer Hardware Monitoring:

Traffic streams

Monitor Network Traffic on both sides of the firewall

the WAN external port

the LAN spanning port

Monitor Internal Traffic

Removable media file access

Switch traffic between computers

Monitor Audit Trails on a regular basis

File accesses

Access attempts

Command history

Keyboard sniffers

What to do if you suspect an attack?

Suspicion of an attack comes from many symptoms:

Someone telling you,

Crashing computer,

Slow computer,

Slow network services or internet access,

Network lights flashing or continuous on,

Loss of network service or internet access,

Hard drive excessive sound,

Excessive hard drive access lights flashing or continuous on,

Emails going out you did not queue,

New files not installed or created by you,

Corrupted files,

Missing Files,

Any unknown or unpredictable computer behavior,

Pop up messages, or

Ants crawling on the screen.

Attacks come in many flavors now.

Virus/Worms in downloads or emails threaten

Data Destruction,

Data Corruption,

Data Theft,

Credit Card Information

Identity Theft

Financial Dealings (money spreadsheets)

Contract Negotiations

Insider Trading

Loss of CPU time (distributed computing),

Loss of hard drive space (used as an FTP upload site or for CD/DVD sharing a la Napster),

'Zombied' Computer under hackers' control,

Network disruption or slowdown,

Loss of internet connectivity or service, and

Hardware failures.

Denial of Service (DOS) and Distributed DOS (DDOS)

Domain Name Theft

Government Involvement for large businesses is possible now.

Contact the local FBI office. Their current involvement threshold is rumored
to be a potential loss of $100,000 or greater before they take a further report.

InfraGard, sponsored by the NIPC, provides a forum about computer crime.
InfraGard hosts educational seminars around the country.

If you think you have been targeted the FBI/NIPC/InfraGard is a powerful tool.

Small businesses and home users should disconnect the LAN/computer from the network,
unless they are prepared to analyze the attack immediately. Such analysis requires
specialized knowledge and software tools to capture traffic, isolate the suspect traffic,
and determine what the suspect activity is doing, in order to choose the appropriate
response, including but not limited to countermeasures, audit trail printouts, and
attacker identification.

Tracking an attacker to identify them is beyond the means of most businesses and computer consumers.

Be Prepared. Learn now what to do. Get the FAQ and study it.

Read up at your Anti Virus site what you can do (find the FAQ).

Visit www.cert.org or similar organization for the FAQ.

What to do if attacked?

Attacks now vary across a wide range and call for different responses.
Some attacks can be resolved on your computer; for others your ISP
would become involved; and the FBI NIPC is available for espionage-type
attacks.

Small Businesses and Home Users

Disconnect your computer from the network (either LAN or WAN):

Turn off the modem, or unplug the modem cable or phone line (either end).

Unplug the RJ45 jack from the hub, router, or computer.

Download the most recent DAT file for your AntiVirus software,
using a second computer: a neighbor's, colleague's, or friend's computer,
or the library computer. Carry the file over on a freshly formatted,
then write-protected, diskette or on a CD.

Run the AntiVirus software from CD-ROM or a write-protected diskette,
so the scanner itself cannot have been tampered with.

Check your outgoing email for email possibly sent by the virus/worm,
and warn the recipients.

Check your data files for corruption against your backups.

Check your operating system for possible hacker-installed back doors.
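The step "check your data files for corruption against your backups" is only practical if you recorded what the files looked like before the trouble started. Here is an added example of how to do that, written for this page and not taken from the author or from any AntiVirus product: it builds a manifest of SHA-256 digests for every file under a folder, then compares a later manifest to report new, missing and changed files, which covers three of the symptoms listed above (new files you did not create, corrupted files, missing files). The folder layout, file names and contents in demo() are constructed for the illustration.

```python
"""Added example: baseline-and-compare file integrity check.

Builds a manifest of SHA-256 digests for every file under a directory, then
compares a later manifest against it to report new, missing and changed
files. The directory layout and file contents in demo() are constructed.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> {size, sha256} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"size": os.path.getsize(full), "sha256": sha256_file(full)}
    return manifest


def compare_manifests(baseline, current):
    """Return the new, missing and changed relative paths, each sorted."""
    base, cur = set(baseline), set(current)
    changed = sorted(p for p in base & cur
                     if baseline[p]["sha256"] != current[p]["sha256"])
    return {"new": sorted(cur - base), "missing": sorted(base - cur), "changed": changed}


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: take a baseline, then a worm drops a file,
    corrupts a spreadsheet and deletes a note; report the difference."""
    root = tempfile.mkdtemp()
    _write(os.path.join(root, "My Documents", "budget.xls"), b"original budget")
    _write(os.path.join(root, "My Documents", "letter.doc"), b"dear client")
    _write(os.path.join(root, "notes.txt"), b"todo")
    # The baseline must live on write-protected media or offline: a worm with
    # write access to the disk can rewrite a manifest stored beside the data.
    saved = json.dumps(build_manifest(root))

    _write(os.path.join(root, "My Documents", "budget.xls"), b"original budget corrupted")
    os.remove(os.path.join(root, "notes.txt"))
    _write(os.path.join(root, "My Documents", "readme.eml"), b"MIME-Version: 1.0\r\n")

    return compare_manifests(json.loads(saved), build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The manifest is only as trustworthy as where it is kept: write it to a diskette and flip the write-protect tab, or burn it to CD with the AntiVirus DAT files, because anything writable on the infected machine may itself have been altered.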

Large businesses should follow established procedures.
Typically the procedure is to immediately contact a
computer system administrator and let them handle it.

Hacker, Attacker, or Cyberterrorist?

There is now the new threat of the cyberterrorist to be countered.
Or so many security consultants, companies, and government
agencies and departments would have you believe. They may
be right. Certainly, the recent worms Code Red and
Nimda have shown that both the availability of resources and the privacy
of data are easily attacked. Extending these prank-level attacks
to terrorist levels is an easy stretch of the imagination,
and is equally easy for the terrorist to achieve.

The threat is real: loss of a responsive international network,
with severe impact on the financial transactions that now share
the same bandwidth that would be under attack.

These new threats mean every computer owner must pick up the slack and
protect the underpinnings of our society as
an obligation to the American people.

[parts below are an uncredited quote (at this time)]

Hackers

Hackers are interested in exploiting the detailed underpinnings of the Internet and its security ramifications for their own personal enjoyment,
or for some desire to make a name for themselves.

The mind set of the hacker is "I want to do something either for the sheer thrill of the challenge or for the public recognition of my abilities."

Many hackers will invade privacy, but not steal or destroy data.

Hackers that invade privacy, steal or destroy data are listed here as Attackers.

For these hackers it is the thrill of knowing when you booted
your computer a message "The Cat Has Stuck" appears or ants
crawl across your screen.

There is controversy over whether the latter offense rates
punishment equal to the former.

The laws are under review to make both crimes equally punished or not.

Cyberterrorist

The cyberterrorist is a completely different animal.

If you look at traditional terrorist movements and what they are trying to accomplish, you see things that are very insidious, well-planned, highly rehearsed, and well-coordinated.

That's what makes the recent events of the WTC bombings so terrifying to America: the degree of coordination it took to execute that attack, and the planning of how to actually strike into the heart of the American psyche.

A terrorist tries to build awareness of his goals and change international events.

From the cyberterrorist perspective, look for highly planned, well-researched attacks on critical pieces of information infrastructure rather than something that indiscriminately targets a wide variety of sources, for instance, a widespread denial of service attack.

How to lockout attacks?

Control Internet access.

[parts below are an uncredited quote (at this time)]

Build a program that understands what access you require to achieve your business objectives, and eliminate everything else.

Technically you can do that through routers and firewalls.

You can monitor that compliance through intrusion detection.

Most importantly, you need to respond when you see a problem.

Incident response is one area we fail in.

Don't be afraid, be encouraged, be proactive about going out and doing the right thing from a security perspective.

We stand a chance of actually making a difference here.

Small Office and Home Consumers

Here are the must have, must do protections:

Install a firewall

Types of Firewalls

Hardware based, for broadband cable or DSL: cost $80 to $180.

Software based, for modem, cable or DSL: cost FREE!!! to thousands.

Configure the firewall

Activate the firewall

Test your firewall configuration.

If it does not work due to misconfiguration ...
better learn this sooner, not later.

Test that your firewall works upon rebooting.

Install AntiVirus (AV) software

Update the AV DAT (virus definition) file regularly.
Purchase the auto-update feature if it is not included.

Patch your software

Enable auto update, if available.

Be Prepared - Invest time in learning these things:

How firewalls are configured.

How firewalls are tested.

How to Test your firewall configuration.

How AntiVirus software works.

How to configure, activate and run the AntiVirus software

How to determine if the AV is activated.

How to determine if the AV is actively scanning what you think it should be.

Most AV software is self-testing, but it must be activated,
especially upon rebooting; this is usually automatic once
the configuration option is set.

Configuring the AV Software

How to enable download scanning

How to enable email scanning

How to enable email attachment scanning

How to enable compressed or archived format files scanning

How to enable Master Boot Record (MBR) scanning

Scanning Files

What file types to scan, and when

How to scan files on diskette

How to scan files on the hard drive

Whether to encrypt your email and files

Privacy has always been a concern for Americans.

Privacy issues abound on the internet and web.

It is not possible to cover most of these privacy issues here.

Here are some email encryption highlights.

Both business and personal matters are legitimate reasons to encrypt email.

Not all such email requires encrypting.

Your ISP, and the administrators of any intervening mail server,
can read your email.

Encryption prevents such reading of the message body. Note that the
headers (sender, recipient, subject, and date) still travel in clear text.

Only the person(s) with the decoding key can read the email.

Some encryption schemes have two separate keys,
one for encoding, the other for decoding,
so that someone holding only the encoding (public) key cannot decode the message.
Such schemes are considered 'better' long-term protection than single-key schemes
because the sending party never holds the decoding key and so cannot compromise it
to other parties, and no secret key has to be exchanged in advance.

Government Email Scanning Facts

Yes, it happens.

Digital communications have weaker legal privacy protection than domestic
voice calls. The Electronic Communications Privacy Act of 1986 extended
wiretap law to electronic mail, but stored messages can be obtained on a
lower legal standard than a live wiretap, and the exceptions are broad.

Domestic analog/voice communications have the strongest legal privacy protection.

International digital and analog communications are widely reported (the
'Echelon' allegations) to be scanned by the USA government; messages that
match a profile are said to be recorded automatically for later human review.
The government does not confirm the details.

Encrypted emails increases the burden of federal authorities
in determining that your encrypted email is not threatening
in nature to national security.

Some (perhaps fanatical) privacy advocates promote encryption of all emails
and/or inclusion of select keywords,
in clear text (typically in the signature block),
believed to trigger the government's monitoring software,
in order to overburden it and defeat its invasion of privacy.

Some privacy advocates are now rethinking that activity
in light of the recent terrorist attacks.

Here are some file encryption highlights.

Encrypted files, if stolen, can seldom be decrypted by the thief,
provided the cipher is strong and the key is not stored alongside the files.

A stolen decryption key compromises every file encrypted under it.
Changing the key, and re-encrypting the files under the new one, is then necessary.

If stolen encrypted files are valuable,
the thief is likely to come back for the decryption key,
but by a different route. Social engineering is possible.

Encrypted files sometimes break, resulting in loss of ALL data:
a single damaged block can make the rest unrecoverable,
and a lost or forgotten key is no different from a broken file.

Backing up unencrypted files and storing them offline is safe,
as long as the offline copy is physically secured,
since it carries none of the protection the encryption gave.

How Security Software Works

The software methods and policies of good security are
overviewed here, with some in-depth discussion of selected topics.

Computers and data are protected by restricting access.

Computers are protected with these methods:

A firewall prevents some incoming attempts to access computers.

Virus scanning prevents incoming traffic on legitimate ports (email, web)
from delivering viruses.

Logging creates an audit trail for review and,
when printed in real time on a printer the attacker cannot reach,
a record for legal purposes like court prosecution.

All of it works best when all staff follow all security procedures, to the letter.

Access is restricted by the operating system using user IDs and passwords.

Encrypting a data file means only people with the key can read the file.

How encryption works

Encryption is a two-part process. The first part is encrypting
the source material into a format that is not readable by a person
or by any application. The second part is reversing, or decrypting,
the first part so the file can be read again by a person or a
software application.

Due to the complexity, only an overview is within the scope of this paper.

The source file is processed by the encryption software
and the result is stored in a second file.

Typically, this involves a mathematical scrambling
of the data according to rules that use a special key value,
so that each key produces a different scrambling.

There are billions of billions of keys to choose from:
a 128-bit key has about 3.4 x 10^38 possible values.

That is where the security comes from.

While everyone knows what the range of valid keys is,
trying them one at a time until the encrypted file is
'cracked' would take billions of years for a key of that size.
The key must actually be that long, though: 56-bit DES keys were
searched exhaustively in under a day by purpose-built hardware in 1999,
and 40-bit 'export grade' keys fall to an ordinary PC within days.

Descrambing involves reversing the mathematics
to recreate the original source material.

There are many types of encryption algorithms, or ciphers.

Some ciphers require the same key to encrypt and decrypt (symmetric ciphers).

Other ciphers have two keys: one to encrypt, which can be known
by the public, and the other to decode, which is known only
by the person who created the two keys for their private use.

This 'key pair' is also known as a public/private key.

Such key pairs are good for sending emails, because the sender needs
only the recipient's public key and no secret has to be exchanged beforehand.
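An added example, written for this page and not part of the original, to make the two points above concrete: that a symmetric cipher uses one key for both directions and that its security is the size of the key space, and that a two-key scheme lets anyone encrypt while only the private key decrypts. The "cipher" here is a keystream derived from HMAC-SHA256 and the two-key scheme is textbook RSA with constructed tiny primes (61 and 53); both are teaching stand-ins, not something to protect real data with. The 16-bit key, the key-search rate of 10^12 keys per second and the message values are assumptions for the demonstration.

```python
"""Added example: toy illustration of symmetric vs two-key encryption and of
why key size is where the security comes from. NOT for real use: the
keystream cipher and the tiny-prime RSA are teaching stand-ins for real
ciphers such as AES and 1024-bit-plus RSA."""
import hashlib
import hmac


def keystream_cipher(key: bytes, data: bytes) -> bytes:
    """Symmetric: the same key both encrypts and decrypts.
    Keystream = HMAC-SHA256(key, counter) blocks, XORed with the data."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def brute_force(ciphertext: bytes, known_plaintext: bytes, key_bits: int):
    """Try every key of key_bits bits in order; return (key, tries).
    Everyone knows the key range; only its size makes this infeasible."""
    nbytes = (key_bits + 7) // 8
    for k in range(1 << key_bits):
        key = k.to_bytes(nbytes, "big")
        if keystream_cipher(key, ciphertext) == known_plaintext:
            return key, k + 1
    return None, 1 << key_bits


def years_to_search(key_bits: int, keys_per_second: float) -> float:
    """Expected years to find a key when half the key space must be tried."""
    return (2 ** key_bits / 2) / keys_per_second / (365 * 24 * 3600)


def rsa_toy_keypair():
    """Two-key scheme: textbook RSA with constructed tiny primes (p=61, q=53)."""
    p, q = 61, 53
    n, phi = p * q, (p - 1) * (q - 1)
    e = 17                  # public (encrypting) exponent
    d = pow(e, -1, phi)     # private (decrypting) exponent, inverse of e mod phi
    return (e, n), (d, n)


def rsa_apply(key, m: int) -> int:
    """Raise m to the key's exponent modulo n; used for both directions."""
    exp, n = key
    return pow(m, exp, n)


def demo():
    msg = b"attack at dawn"
    secret = b"k1"                       # constructed 16-bit key: far too short
    ct = keystream_cipher(secret, msg)
    found, tries = brute_force(ct, msg, 16)

    public, private = rsa_toy_keypair()
    m = 65                               # a message must be a number below n
    c = rsa_apply(public, m)             # anyone with the public key can do this
    return {
        "symmetric_roundtrip": keystream_cipher(secret, ct) == msg,
        "brute_forced_key": found,
        "tries": tries,
        "years_56_bit": years_to_search(56, 1e12),    # assumed search rate
        "years_128_bit": years_to_search(128, 1e12),
        "rsa_ciphertext": c,
        "decrypt_with_private": rsa_apply(private, c),   # recovers m
        "decrypt_with_public": rsa_apply(public, c),     # does NOT recover m
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The 16-bit key is recovered after about 27,000 tries in a fraction of a second, while the same search on a 128-bit key at a trillion keys per second comes out in the 10^18-year range; the cipher rules are identical in both cases, only the key length differs. The RSA half shows the point made under email encryption: applying the public key to the ciphertext produces garbage, so possession of the encrypting key never lets a sender (or a thief of the sender's files) read the message.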

How viruses work, are detected, and are removed.

Viruses come in a variety of types.
Only a brief overview is within the scope of this paper.

What is a Virus? Some Virus Facts.

The virus is a computer file, like any other file.

The virus must run or execute on the computer
in order to truly infect it and have bad effects.

The virus 'inserts' itself into other programs and into the boot records of hard drives and diskettes.

This insertion sometimes damages the program.

Sometimes the damage is severe enough the program does not run.

A program that does not appear to run, may still be spreading the virus
to other files on your computer and other hard drives, sending emails, etc.

Virus Trivia

It is possible to store a virus file on your computer.
If it never runs, then there are no bad effects.
If someone runs it by mistake...

Most professionals store their virus samples
in password protected archives
where they can not be easily run by accident.

Virus Detection

Run the AntiVirus Software

If it was running, then

a pop-up window may alert you to the fact that a virus was found,

what action was taken,

and whether the removal was complete,

or whether you have to manually finish the removal.

Virus Removal

AntiVirus software often completely removes the virus.

Some viruses require you to complete the removal.
The AV software will instruct you or will tell you where
to get the instructions, usually a URL.

YOU MUST COMPLETE THE MANUAL REMOVAL

Sometimes the virus is only made inactive, or damaged portions
of the operating system must be restored before rebooting.

Usually, the instructions are very much step by step and can
be completed by anyone who knows what a menu item and a mouse
click are and how to type.
Hire a professional if you cannot understand the instructions.
Or let your sibling or the neighbor's kid do it. It is often that easy.

Some viruses cannot easily be removed.

These include 'stealth' viruses, which hide themselves by intercepting
the operating system's own file reads so that a scanner sees a clean file,
and viruses that sit in memory or the boot record and reinfect files as
fast as they are cleaned. For these, boot from clean, write-protected
media before scanning.

How the new email worms work

The two recent worms that received worldwide attention
for the speed with which they infected hundreds of thousands of computers are
named Code Red and Nimda. They are often lumped together as "email worms",
but only Nimda spreads by email; Code Red spreads directly from web server
to web server. Both are explained here.

Code Red and Nimda infect only Windows systems: Code Red attacks
Microsoft IIS web servers on Windows NT/2000, and Nimda attacks IIS servers
plus Windows 95/98/ME/NT/2000 desktops.

Macintosh, Unix and other OSes are not infected, although they are not
unaffected: their networks still carry the worms' scanning traffic, and
Code Red's malformed probes hung some DSL routers and other devices.

Neither worm came from a point-and-click virus construction kit.
Code Red exploits a buffer overflow in the IIS Indexing Service ISAPI
extension (.ida requests, Microsoft bulletin MS01-033). Nimda reuses older
IIS holes (the Unicode directory traversal bug, MS00-078) and the back door
left behind by Code Red II, and adds email, open Windows file shares,
infected executables and modified web pages as further vectors.

Nimda's email vector involves MS Outlook (or Outlook Express),
your My Documents folder and its files, IIS (MS's web server),
and the IE web cache (from which it harvests email addresses), as follows:

After MS Outlook checks your incoming email at your ISP and
downloads the email to your computer's inbox file,
Outlook reads each email's selected header fields
and displays an email selection list with those field values.

An Outlook weakness, since patched (MS01-020; the nickname "LookOut"
is deserved), was that when a message was displayed, or merely shown in the
preview pane, an attachment whose MIME header declared a harmless type such
as audio/x-wav was handed straight to the matching handler without asking.
Nimda's README.EXE attachment carried exactly that declaration, so the worm
ran as soon as Outlook rendered the message.

Thus, without you opening the attachment, the worm was activated by Outlook.

Nimda combines several vectors, and its full behavior was still being
analyzed by the professionals at the time of writing.
Its confirmed features include:

A back door: the Guest account is enabled and added to the Administrators
group, and the local drives are shared

A Trojan horse / virus component: it infects executable files it finds

Worm spreading over the network: IIS exploits, open file shares, and
web pages modified to serve readme.eml to visitors

Other infection vectors as they are discovered

Features that were speculated about but not observed:

Automatic deletion of all files on the computer

Code(s) to be run on specific dates and/or times.
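The hazards listed for email readers earlier (scripting in HTML mail, external tracking images, attachments carrying payloads) and the Nimda MIME-type trick just described can all be caught by looking at the message itself rather than trusting its headers. The following is an added example for this page, not code from the author or from any mail client: it walks the MIME parts of a message, audits any HTML body for active content and remote images, and compares each attachment's declared type against the first bytes of its content. The sample message is constructed; its "executable" is a few bytes beginning with the MZ marker and runs nothing. Names such as tracker.example and the list of risky extensions are assumptions for the demonstration.

```python
"""Added example: mail-reader-side checks for the hazards described above:
active content in HTML mail, remote tracking images, and an attachment whose
declared MIME type disagrees with its real content (the Nimda README.EXE
audio/x-wav trick). The sample message is constructed and is not a worm."""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Magic bytes that mark executables regardless of what the MIME header claims
EXECUTABLE_MAGIC = {b"MZ": "Windows executable", b"\x7fELF": "ELF executable"}
RISKY_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat", ".vbs", ".js")  # assumed list
ACTIVE_TAGS = ("script", "object", "embed", "iframe")


class HtmlAudit(HTMLParser):
    """Collects script-bearing tags, on* event handlers and remote images."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active content: <{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            if tag == "img" and name == "src" and value and value.lower().startswith(("http:", "https:")):
                self.findings.append(f"remote image, possible tracker: {value}")


def audit_message(raw: str):
    """Return a list of findings for a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        ctype = part.get_content_type()
        filename = part.get_filename()
        if ctype == "text/html":
            auditor = HtmlAudit()
            auditor.feed(part.get_content())
            findings += auditor.findings
        elif filename:
            data = part.get_payload(decode=True) or b""
            for magic, kind in EXECUTABLE_MAGIC.items():
                # Trust the bytes, not the header: audio/x-wav that starts with MZ is a program
                if data.startswith(magic) and not ctype.startswith("application/"):
                    findings.append(f"attachment {filename}: declared {ctype} but content is a {kind}")
            if filename.lower().endswith(RISKY_EXTENSIONS):
                findings.append(f"attachment {filename}: executable file type")
    return findings


def build_sample_message() -> str:
    """Constructed message with the shape of a Nimda mail; the 'executable'
    is a few bytes with an MZ header, not real code."""
    msg = EmailMessage()
    msg["From"] = "someone@example.net"
    msg["To"] = "you@example.com"
    msg["Subject"] = "(no subject)"
    msg.set_content(
        '<html><body><p>Hi</p>'
        '<img src="http://tracker.example/pixel.gif" width="1" height="1">'
        '<script>window.open("http://tracker.example/")</script></body></html>',
        subtype="html",
    )
    msg.add_attachment(b"MZ\x90\x00 not a real program",
                       maintype="audio", subtype="x-wav", filename="README.EXE")
    return msg.as_string()


def demo():
    return audit_message(build_sample_message())


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The same four checks are what a mail gateway would apply before the message reaches Outlook at all; the point of the MZ comparison is that a reader which trusts Content-Type (as unpatched Outlook did) can be made to run anything, while a reader which looks at the bytes cannot.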

How ISPs are virus scanning your email

Your ISP may have purchased special bulk anti-virus scanning software
for incoming email. Here is how these bulk scanners work.

Incoming emails addressed to you are first scanned, both the HTML body
and each attachment, for viruses.

Attachments that are compressed archives are opened and the individual
files inside are scanned, including archives nested inside archives,
up to a configured depth and size limit. Archives that are password
protected or encrypted cannot be opened and are either quarantined or
passed through untouched, depending on the ISP's policy; ask yours which.

The scanner does not read your mail for its meaning; it only searches
each part for the virus definition strings in its DAT file. A new virus
not yet in the DAT file therefore passes through.

The cleaned email is then sent to the normal email server.

The email server puts the email into your inbox.
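An added example of such a bulk scanner, written for this page rather than taken from any ISP product: it walks the MIME parts of a message, matches a table of byte signatures (a stand-in for the DAT file), and opens zip attachments recursively with limits on nesting depth and declared decompressed size so that a deliberately nested or bloated archive is rejected rather than exhausting the scanner. The signature, its pattern string and the sample messages are constructed and contain no real virus.

```python
"""Added example: a bulk signature scanner of the kind described above. It
walks the MIME parts of a message, opens zip attachments recursively with
depth and size limits, and matches byte patterns from a definition table.
The signature table and the sample message are constructed; no real virus
is involved."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed stand-in for the DAT file: name -> byte pattern
SIGNATURES = {"Test.Worm.Sample": b"THIS-IS-A-CONSTRUCTED-TEST-SIGNATURE"}
MAX_DEPTH = 3             # archives nested deeper than this are rejected, not skipped
MAX_BYTES = 5_000_000     # cap on declared decompressed size per archive (zip-bomb guard)


def scan_bytes(data: bytes, where: str, depth: int = 0):
    """Match every signature against data, then descend into it if it is a zip."""
    hits = [(where, name) for name, pattern in SIGNATURES.items() if pattern in data]
    if data.startswith(b"PK\x03\x04"):
        hits += scan_zip(data, where, depth)
    return hits


def scan_zip(data: bytes, where: str, depth: int):
    if depth >= MAX_DEPTH:
        return [(where, "REJECT: archive nested too deeply")]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(where, "REJECT: corrupt archive")]
    hits, total = [], 0
    for info in zf.infolist():
        member = f"{where}/{info.filename}"
        if info.flag_bits & 0x1:          # encrypted entry: cannot be scanned at all
            hits.append((member, "REJECT: encrypted, cannot scan"))
            continue
        total += info.file_size
        if total > MAX_BYTES:
            hits.append((where, "REJECT: decompressed size over limit"))
            break
        hits += scan_bytes(zf.read(info.filename), member, depth + 1)
    return hits


def scan_message(raw: str):
    """Scan every leaf part of a raw RFC 822 message; returns (location, verdict) pairs."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        hits += scan_bytes(data, part.get_filename() or part.get_content_type())
    return hits


def nest(payload: bytes, levels: int) -> bytes:
    """Wrap payload as payload.exe inside `levels` nested, deflated zip files."""
    data, name = payload, "payload.exe"
    for _ in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), "inner.zip"
    return data


def build_message(attachment: bytes) -> str:
    """Constructed message with a text body and one zip attachment."""
    msg = EmailMessage()
    msg["From"] = "someone@example.net"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Quarterly figures"
    msg.set_content("Figures attached.")
    msg.add_attachment(attachment, maintype="application", subtype="zip", filename="outer.zip")
    return msg.as_string()


def demo():
    """Two levels of nesting is scanned through; four levels is rejected unread."""
    shallow = scan_message(build_message(nest(SIGNATURES["Test.Worm.Sample"], 2)))
    deep = scan_message(build_message(nest(SIGNATURES["Test.Worm.Sample"], 4)))
    return shallow, deep


if __name__ == "__main__":
    for label, hits in zip(("shallow", "deep"), demo()):
        print(label, hits)
```

Two design points matter for an ISP-scale scanner. A rejected archive is reported, not silently skipped, because "could not scan" must reach the policy layer that decides whether to quarantine. And an encrypted zip entry is detected from its flag bits and refused for the same reason (the demo does not exercise that branch, since the standard library cannot write encrypted entries); as the text notes, the only party who can scan such an attachment is the recipient after unpacking it.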

How firewall software works

Firewall software is becoming both exceedingly complex and
easier to configure. The ease of configuration comes from
add-on front ends that contain predefined common configurations
to protect home consumers and small and large offices.

Due to the complexity, only an overview is within the scope of this paper.

Traffic divides into these four types:

Outgoing initiating traffic (logging in, opening a connection)

Outgoing follow-up traffic (the file transfer on that connection)

Incoming initiating traffic (the dangerous stuff to block)

Incoming expected traffic (replies you asked for, such as web pages)

Telling the last two apart requires the firewall to remember which
connections were opened from the inside; this is called stateful
inspection, and current firewalls do it.

Most firewalls are configured like this:

Allow ALL outgoing,
except those applications that are blocked by company policy.

Note that "allow all outgoing" is exactly what lets a worm or a
zombied computer call home, spread, or send spam; the more you restrict
outgoing traffic to the ports your business actually uses, the less
damage an infected machine on the inside can do.

Allow ALL incoming expected traffic.

Block or deny ALL incoming traffic that is not expected,
except those applications that are permitted for remote access
by salespersons, perhaps from an authorized user ID list or IP number list
or both.
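The four traffic classes and the policy just listed, as an added example written for this page and not taken from any firewall product: a small stateful filter that remembers connections opened from the inside, allows replies to them, denies every other incoming connection unless the source and port are on a remote-access exception list, and denies outgoing connections to ports blocked by policy. The LAN prefix, the blocked port (6667, IRC, a common zombie control channel), the sales laptop's address and the packet sequence are constructed.

```python
"""Added example: a minimal stateful packet filter that sorts traffic into the
four classes above and applies the usual policy (allow outgoing except blocked
applications, allow expected replies, deny unexpected incoming except listed
remote-access sources). Addresses, ports and packets are constructed."""
from dataclasses import dataclass

INSIDE_NET = "192.168.1."                 # constructed LAN prefix
BLOCKED_OUTBOUND_PORTS = {6667}           # constructed policy: no IRC from the inside
REMOTE_ACCESS = {("203.0.113.7", 22)}     # constructed: one sales laptop may open SSH inbound


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool           # True for the packet that opens a connection


class StatefulFirewall:
    def __init__(self):
        # Remembered connections, keyed from the inside host's point of view:
        # (inside_ip, inside_port, outside_ip, outside_port)
        self.sessions = set()

    def classify(self, p: Packet):
        outbound = p.src.startswith(INSIDE_NET)
        key = ((p.src, p.sport, p.dst, p.dport) if outbound
               else (p.dst, p.dport, p.src, p.sport))
        if outbound:
            return ("out-initiate" if p.syn else "out-followup"), key
        return ("in-expected" if key in self.sessions else "in-initiate"), key

    def filter(self, p: Packet):
        """Return (verdict, traffic class) and update connection state."""
        kind, key = self.classify(p)
        if kind == "out-initiate":
            if p.dport in BLOCKED_OUTBOUND_PORTS:
                return "DENY", kind
            self.sessions.add(key)
            return "ALLOW", kind
        if kind == "out-followup":
            return ("ALLOW" if key in self.sessions else "DENY"), kind
        if kind == "in-expected":
            return "ALLOW", kind
        # in-initiate: the dangerous class, denied unless explicitly permitted
        if (p.src, p.dport) in REMOTE_ACCESS:
            self.sessions.add(key)
            return "ALLOW", kind
        return "DENY", kind


def demo():
    """Constructed packet sequence; returns the list of (verdict, class)."""
    fw = StatefulFirewall()
    packets = [
        Packet("192.168.1.10", 3000, "198.51.100.5", 80, True),     # browse a web site
        Packet("198.51.100.5", 80, "192.168.1.10", 3000, False),    # the web page coming back
        Packet("198.51.100.99", 4444, "192.168.1.10", 139, True),   # stranger probing file sharing
        Packet("203.0.113.7", 50000, "192.168.1.20", 22, True),     # sales laptop opening SSH
        Packet("192.168.1.20", 22, "203.0.113.7", 50000, False),    # the SSH server's reply
        Packet("192.168.1.10", 3001, "198.51.100.5", 6667, True),   # inside host trying IRC
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for verdict, kind in demo():
        print(f"{verdict:5} {kind}")
```

The third packet is the case the text calls "the dangerous stuff": a connection attempt from outside to the file-sharing port, with no session to justify it, so it is dropped. The last packet shows the egress caveat above in action: an infected inside host trying to reach an IRC control channel is stopped only because the policy names that port; with the bare "allow all outgoing" rule it would go through.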

How sniffers work

Sniffers know what network traffic looks like
and display that data to the user.

Due to the complexity, only an overview is within the scope of this paper.

Raw network traffic is not readable by a person,
or not readable enough, so sniffer software is needed.

Sniffer software presents the traffic in a more readable format.

Sniffer software limits the traffic displayed to the traffic
that meets the rules (filters) set by the user.

Sniffer software can reassemble the packets of a connection and
reconstruct the original files or keystrokes of the sender for the user
to review. Note that this cuts both ways: an attacker with a sniffer on
your LAN can reconstruct your passwords and files just as easily, which
is one reason to encrypt traffic and to use switches rather than hubs
(a switch reduces, though it does not eliminate, what a sniffer can see).

Intrusion detection software built on the same packet capture compares
the traffic against a library of attack patterns and raises alerts.
Alerts are of many action levels:
some are just logged,
others are considered more critical and
are configured to send emails or even page staff.

Logged alerts typically list a summary,
including the pattern number and
the alerts issued,
but not the full details of the suspect traffic,
unless the system is configured to store the suspect traffic for later review.
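The sniffer-to-alert pipeline described above, as an added example written for this page and not taken from any sniffer or intrusion detection product: segments of one connection are reassembled by sequence number (including an out-of-order segment and a retransmission), user rules are applied to the reassembled stream rather than to individual packets, and each match produces an alert whose action level decides whether it is logged, emailed or paged, with the suspect traffic stored only when the monitor is configured to do so. The rule table, the addresses and the captured segments are constructed; the two HTTP patterns are modelled on the request strings Code Red and Nimda are known to send.

```python
"""Added example: the sniffer-to-alert pipeline described above, on constructed
segments. Packets of one connection are reassembled by sequence number (out of
order and retransmitted segments included), user rules are applied to the
reassembled stream, and alerts are raised at different action levels. The rule
table is constructed; its two HTTP patterns are modelled on the request strings
Code Red and Nimda are known to send."""
from collections import defaultdict

# (pattern number, byte pattern, action level) -- constructed rule set
RULES = [
    (1001, b"GET /scripts/root.exe", "page"),   # Nimda probing a Code Red II back door
    (1002, b"GET /default.ida?", "email"),      # Code Red hitting the .ida overflow
    (1003, b"USER anonymous", "log"),           # plain anonymous FTP login, informational
]
ACTIONS = {"log": "written to log", "email": "email sent to staff", "page": "staff paged"}


class Monitor:
    def __init__(self, store_suspect=False):
        self.streams = defaultdict(list)     # (src, dst) -> [(seq, payload), ...]
        self.store_suspect = store_suspect
        self.alerts = []

    def capture(self, src, dst, seq, payload):
        """Record one TCP segment as a sniffer would see it on the span port."""
        self.streams[(src, dst)].append((seq, payload))

    def reassemble(self, key):
        """Rebuild the sender's byte stream; drop overlap, stop at a gap."""
        data, expected = b"", None
        for seq, payload in sorted(self.streams[key]):
            if expected is None:
                expected = seq
            if seq < expected:                   # retransmission: keep only new bytes
                payload, seq = payload[expected - seq:], expected
            elif seq > expected:                 # missing segment: cannot continue safely
                break
            data += payload
            expected = seq + len(payload)
        return data

    def inspect(self):
        """Apply every rule to every reassembled stream; return the alerts."""
        for key in self.streams:
            data = self.reassemble(key)
            for number, pattern, level in RULES:
                if pattern in data:
                    alert = {"pattern": number, "level": level,
                             "action": ACTIONS[level], "stream": key}
                    if self.store_suspect:       # full details only when configured
                        alert["traffic"] = data[:64]
                    self.alerts.append(alert)
        return self.alerts


def demo(store_suspect=True):
    """Constructed capture: a Nimda-style probe split across two out-of-order
    segments plus a retransmit, a Code Red-style probe, and an FTP login."""
    mon = Monitor(store_suspect=store_suspect)
    a = ("10.0.0.5:1060", "192.168.1.2:80")
    mon.capture(*a, 115, b"ot.exe?/c+dir HTTP/1.0\r\n")     # arrives first
    mon.capture(*a, 100, b"GET /scripts/ro")                 # arrives second
    mon.capture(*a, 100, b"GET /scripts/ro")                 # retransmitted
    b = ("10.0.0.9:2011", "192.168.1.2:80")
    mon.capture(*b, 1, b"GET /default.ida?" + b"N" * 20 + b" HTTP/1.0\r\n")
    c = ("192.168.1.7:1025", "198.51.100.3:21")
    mon.capture(*c, 1, b"USER anonymous\r\n")
    alerts = mon.inspect()
    return alerts, mon.reassemble(a)


if __name__ == "__main__":
    for alert in demo()[0]:
        print(alert)
```

The first stream is the reason reassembly matters: the pattern "GET /scripts/root.exe" is split across two segments that arrive in the wrong order, so a monitor matching packet by packet would miss it, and an attacker can split requests deliberately for that reason. Stopping at a gap rather than guessing is the conservative choice for a detector; a sniffer used for forensic reconstruction would instead wait for the missing segment.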